Digital forensics are an essential part of investigations in the modern world—investigators must be able to extract and analyze data from the countless devices used in everyday life, many of which will inevitably end up in the hands of a victim or perpetrator, or at a crime scene.

The tools needed to collect vital evidence from cellphones, tablets, computers and other devices are obviously different from those used to collect physical evidence like hairs, fibers, fingerprints and DNA. But, like physical evidence, it is still important to handle virtual evidence with care, to avoid any corruption and contamination that can occur in the acquisition process. Additionally, like lab technicians running DNA or toxicology tests, investigators working with digital evidence want to generate the most accurate results as efficiently as possible.

Digital forensics tools have been advancing and evolving along with the devices they are tasked with examining. Last week, two U.S. government agencies announced new features to the toolkits they each provide to digital forensics investigators. The National Institute of Standards and Technology (NIST) added write blocker testing to its suite of federated testing tools, while the Department of Homeland Security Science and Technology Directorate (DHS S&T) announced it is planning to make several improvements to the open-source digital forensics platform Autopsy, based on the suggestions of law enforcement already using the tool.

NIST Tool Aims for Error-free Evidence Copies

In many cases, investigators will have to copy digital evidence, such as that from a perpetrator’s computer or phone, onto their own device in order to analyze it efficiently. This copying process comes with some risk of evidence becoming corrupted or contaminated somehow by information passing between machines. This is why NIST created their federating testing tools, which investigators can use to make sure whatever they’re using to extract and copy data is working without any errors that could be fatal to a potential prosecution.

The most recent addition to this suite of tools is a testing tool for write blockers, devices that establish a one-way path between where the evidence is coming from and what it is being copied to. Barbara Guttman, leader of the Software Quality Group at NIST who helped to develop the testing tools, spoke with me about the new addition and its importance to investigators.

“A lot of write blockers on the market today are very sophisticated, but because they’re such a critical part of evidence preservation, people really want to make sure they’re getting it right,” she said. “You don’t want to accidentally change the evidence, so the protocol in a lot of labs is to test their write blocker pretty often.”

Guttman said that the testing tools look for “the kinds of things that are most likely to go wrong” in each extraction scenario, whether it be copying data from a computer disk, or from a mobile phone or a tablet. NIST also allows agencies to share the reports from their tools with other investigators, so that agencies using the same machines and software do not always need to run the test themselves.

“Because the test reports are shareable, it could save them a lot of time, because they could use somebody else’s report. It’s sort of crazy to have everybody testing the same thing when they could just share the results,” Guttman said. “Anything we can do to help them both increase quality and save time seems like a winner.”

The write blocker tool is the third federated testing tool made available by NIST. The first tool is used to test software for copying computer disks. The second, which was released this summer, is used to test software for extracting data from mobile devices, including smartphones and tablets. Guttman said NIST is looking to add more testing tools in the future, including a test for string searching and approximate matching functions, and for wiping disks clean for reuse, as to not have evidence from a previous case contaminate evidence for a new case.

Autopsy is an open-source digital forensics platform that has been available for a decade and a half; it allows investigators to examine a computer or mobile device and potentially find important evidence for a criminal case. DHS S&T has cooperated with the creators of Autopsy, Basis Technology, to develop and incorporate modules specifically designed for law enforcement, and the base platform is free for all to download.

In an upcoming update recently announced by DHS S&T, Autopsy will become even easier for law enforcement to use, with new features like better timeline visualization, a framework for analyzing digital communications, and an enhanced image and video analysis function being developed. The developers based these planned improvements on the results of a survey that asked law enforcement agencies what their greatest and most time-consuming challenges were.

“The enhancements will substantially increase Autopsy’s ease-of-use for law enforcement agencies,” Megan Mahle, the program manager of S&T’s Cyber Security Forensics project, said in a DHS news release. “The modules we’re focusing on through our effort will add new functionalities and promote flexibility for use by each law enforcement investigator.”

A screenshot of the Autopsy timeline analysis. The timeline analysis helps a user understand when items such as call logs, location information, text and email messages, images, and audio and video recordings were accessed on an examined device. (Screenshot: Courtesy of the Department of Homeland Security Science and Technology Directorate)

The new timeline visualization tool will let investigators create and highlight events and filter their timeline by file type, and will integrate with open-source parsing tools to further ease the organization of chronological events on a device. The new communication analysis framework will include a more easy-to-use interface for viewing messages and drawing connections between accounts, and the advanced image analysis function will more efficiently analyze large amounts of photo and video data that may be present on a device’s hard drive.

Autopsy contains many other features, including registry analysis, web artifact extraction, file type detection and sorting, a keyword search function, and the ability for multiple users to work collectively on one case. A special law-enforcement-only module even integrates data from Project Vic and C4P, which allows investigators to identify known images of child exploitation on a device. According to DHS S&T, users across the world download Autopsy approximately 4,000 times each week.

The current version of Autopsy’s basic platform can be downloaded here.